
Investigating Web Defacement Campaigns at Large

Website defacement is a very common attack. Hackers attack websites every day, and once a website is compromised its web pages can be altered by the attacker.
Hackers usually leave messages in deface pages, such as who they are and why they attacked.


  1. Investigating Web Defacement Campaigns at Large. Federico Maggi, Marco Balduzzi, Ryan Flores, Lion Gu, Vincenzo Ciancaglini. Trend Micro, Forward-Looking Threat Research
  2. # of Records Per Reporting Site
     Source Site    URL                   #Records
     Zone-H         www.zone-h.org        12,303,240
     Hack-CN        www.hack-cn.com          386,705
     Mirror Zone    www.mirror-zone.org      195,398
     Hack Mirror    www.hack-mirror.com       68,980
     MyDeface       www.mydeface.com          37,843
     TOTAL                                12,992,166
  3. Metadata / Raw content
  4. Records Per Year
  5. Topics Over the Years: Security Problems, Real World Events
  6. Adoption of Malicious Content in Deface Pages
  7. Key Observation: Deface Page Template
  8. Process of Analyzing Deface Pages
  9. Process of Analyzing Deface Pages
  10. Process of Analyzing Deface Pages
  11. Process of Analyzing Deface Pages
  12. Feature Extraction: Image, Social handle, Text, Page title, Background color
  13. Feature Extraction: Multimedia URL, Email address
  14. Clustering
     • BIRCH (Balanced Iterative Reducing and Clustering using Hierarchies)
     • Statistics values are efficient to compute
     • Quickly find the closest cluster for each new data point
  15. Similar Deface Pages in One Cluster
  16. Similar Deface Pages in One Cluster
  17. Real-World Validation
  18. How Attackers Are Organized: 50% of actors join at least one team
  19. Various Campaigns for “Charlie Hebdo” Attacks
  20. Campaign and Defacer Team (figure labels: Campaign, Team)
  21. Team and Defacer (figure labels: Campaign, Team, Defacer)
  22. Overview of “Charlie Hebdo” Attacks (figure labels: Campaign, Team, Defacer)
  23. Long Term Campaigns
  24. Aggressive Campaigns
  25. Most Targeted TLDs
  26. Most Targeted TLDs
  27. Israeli-Palestinian Conflict
  28. Conclusion
     • Conduct a large-scale measurement
     • 13M records spanning 19 years
     • Introduce an approach to semi-automatically detect defacement campaigns
     • Show how our approach empowers the analyst in understanding modern defacements
     • Live campaigns in the real world
     • Social structure of actors
     • Modus operandi
     • Motive, especially political reasons
  29. THANK YOU. Q&A
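As an added illustration of the feature-extraction step on slides 12 and 13 (this is example code, not the authors' or Trend Micro's tooling), the parser below pulls the page title, visible text, background colour, image and multimedia URLs, e-mail addresses and social handles out of a single deface page so they can be fed to a clustering stage such as the BIRCH step on slide 14. The sample page, the `example.invalid` hostnames and the social-handle heuristic (an `@name` in the text or a link to a known social site) are my own assumptions; only the Python standard library is used.

```python
import re
from html.parser import HTMLParser

# Constructed sample deface page (placeholders only, not a real defacement).
SAMPLE_PAGE = """<html><head><title>Hacked By ExampleTeam</title></head><body bgcolor="#000000">
<img src="http://example.invalid/logo.png"><h1>Hacked By ExampleTeam</h1>
<p>Contact: admin@example.invalid or @example_handle on twitter</p>
<a href="https://www.facebook.com/example.team">fb</a><audio src="http://example.invalid/song.mp3"></audio></body></html>"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
HANDLE_RE = re.compile(r"(?<![\w.])@(\w{2,})(?![\w.])")  # @name that is not part of an e-mail
SOCIAL_HOSTS = ("facebook.com", "twitter.com", "youtube.com")  # assumed list of social sites

class DefaceFeatureParser(HTMLParser):
    """Collects the slide-12/13 features: title, text, background colour, image and media URLs, links."""
    def __init__(self):
        super().__init__()
        self.title, self.bgcolor, self._in_title = "", None, False
        self.text, self.images, self.media, self.links = [], [], [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "body" and a.get("bgcolor"):
            self.bgcolor = a["bgcolor"].lower()          # background colour feature
        elif tag == "img" and a.get("src"):
            self.images.append(a["src"])                 # image feature
        elif tag in ("audio", "video", "source", "embed", "iframe") and a.get("src"):
            self.media.append(a["src"])                  # multimedia URL feature
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])                 # mined below for social handles
    def handle_endtag(self, tag):
        self._in_title = self._in_title and tag != "title"
    def handle_data(self, data):
        if self._in_title:
            self.title += data.strip()
        elif data.strip():
            self.text.append(data.strip())               # visible text feature

def extract_features(html):
    """Return the feature dict for one page (social handles from @names and social-site links)."""
    p = DefaceFeatureParser()
    p.feed(html)
    text = " ".join(p.text)
    social = {"@" + h for h in HANDLE_RE.findall(text)}
    social |= {u for u in p.links if any(h in u for h in SOCIAL_HOSTS)}
    return {"title": p.title, "text": text, "bgcolor": p.bgcolor,
            "images": p.images, "media": p.media,
            "emails": sorted(set(EMAIL_RE.findall(text))), "social": sorted(social)}
```

Running `extract_features` over every mirrored page yields one feature dict per record; those dicts are what a clustering step groups into campaigns.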
